SlideShare ist ein Scribd-Unternehmen logo

TDIS 2014 - Dealing with the risks: web applications

Als PPSX, PDF herunterladen
Malik Mesellem
Malik Mesellem

Event: Trusted Digital Identity Symposium 2014 Topic: Dealing with the risks - web applications Location: Living Tomorrow (Brussels Vilvoorde) Organizer: Vasco Data Security

Präsentationen & VorträgeTechnologieBildung
1 von 44
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks web applications Malik Mesellem
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. About me  Malik Mesellem, Ethical Hacker  MME BVBA, founded in 2010  Specialized in audits & training  Objective approach, independent  Focus to advise and to educate @MME_IT #bWAPP | ITAudits&SecurityMME
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Defense needed  Web application security is today's most overlooked aspect of securing the enterprise  Hackers are concentrating their efforts on websites and web applications  Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Defense needed  Why are web applications an attractive target?  Easily available via the Internet (24/7)  Mission-critical business applications with sensitive data  Often direct access to backend data  Traditional firewalls and SSL provide no protection  Many applications are custom-made == vulnerable
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Defense needed  Why are web applications an attractive target?  Easily available via the Internet (24/7)  Mission-critical business applications with sensitive data  Often direct access to backend data  Traditional firewalls and SSL provide no protection  Many applications are custom-made == vulnerable
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. DEFENSE is needed !
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  bWAPP, or a buggy Web APPlication  Deliberately insecure web application, includes all major known web vulnerabilities  Helps security enthusiasts, developers and students to discover and to prevent issues  Prepares one for successful penetration testing and ethical hacking projects
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Web application security is not just installing a firewall, or scanning a site for ‘potential’ issues  Black-box penetration testing, simulating real attack scenarios, is still needed!  Confirms potential vulnerabilities, and excludes false positives  Guarantees that your defense measures are working effectively  bWAPP helps to improve your security-testing skills…
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  What makes bWAPP so unique?  Well, it has over 100 web vulnerabilities  Covering all major known web bugs  Including all risks from the OWASP Top 10  Focus is not on one specific issue!
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Commercial Web Scanners
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Which bug do you want to hack today? (1)  SQL, HTML, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections  Authentication, authorization and session management issues  Malicious, unrestricted file uploads and backdoor files  Arbitrary file access and directory traversals  Heartbleed vulnerability (OpenSSL)  Local and remote file inclusions (LFI/RFI)  Server Side Request Forgery (SSRF)
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Which bug do you want to hack today? (2)  Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, SNMP, WebDAV, information disclosures,...  HTTP parameter pollution and HTTP response splitting  XML External Entity attacks (XXE)  HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues  Unvalidated redirects and forwards  Denial-of-Service (DoS) attacks
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Which bug do you want to hack today? (3)  Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)  AJAX and Web Services issues (JSON/XML/SOAP)  Parameter tampering and cookie poisoning  HTTP verb tampering  PHP-CGI remote code execution  Local privilege escalations  And much more 
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Which bug do you want to hack today?
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  External links  Home page - www.itsecgames.com  Download location - sourceforge.net/projects/bwapp  Blog - itsecgames.blogspot.com
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  SQL injection is very common in web applications  Occurs when user input is sent to a SQL interpreter as part of a query  The attacker tricks the interpreter into executing unintended SQL queries
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  Injection in the OWASP Top 10
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  Normal operation DATABASE SQL interpreter WEB APP HTML | SQL BROWSER HTML (GET/POST) login password SELECT * FROM table WHERE login = ‘login’ AND password = ‘password’ result HTML SQL
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. DATABASE SQL interpreter WEB APP HTML | SQL BROWSER HTML (GET/POST) login ’ or 1=1-- SELECT * FROM table WHERE login = ‘login’ AND password = ‘’ or 1=1-- ’ result HTML SQL SQL injection  Abnormal operation
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  Simple injections  '--  ' or 'a'='a  ' or 'a'='a'--  ' or '1'='1  ' or 1=1--
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  Union injections  ' UNION SELECT field1, field2 FROM table--  ' UNION SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=database()--  Stacked queries  '; DROP TABLE table;--
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL Injection
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Don’t try @ home!  SQL injection  Bypassing login forms  Manually extracting data  Automated SQL injection  Website defacement
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Cross-Site Scripting  Cross-Site Scripting, or XSS, occurs when an attacker injects a browser script into a web application  Insufficient validation of user-supplied data  Dangerous when it is stored permanently!  XSS can lead to  Website defacements  Phishing / session hijacking  Client-side exploitation
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Cross-Site Scripting  XSS in the OWASP Top 10
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Don’t try @ home!  Cross-Site Scripting  Detecting XSS  Phishing attack  Client-side exploitation
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Heartbleed bug  Vulnerability in the popular OpenSSL cryptographic software library, discovered in April 2014 (!)  Allows stealing information protected by SSL/TLS… just by sending a simple heartbeat request!  Sensitive data that might be stolen  Logon credentials  Session data  Private keys
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Don’t try @ home!  Heartbleed bug  Stealing credentials
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Denial-of-Service  Denial-of-Service attack, or DoS attack  Attacker attempts to prevent legitimate users from accessing the application, server or network  Consumes bandwidth, server sockets, or CPU resources  Distributed Denial-of-Service attack, or DDoS  Popular techniques used by hacktivists
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Denial-of-Service  Newer layer 7 DoS attacks are more powerful!  “Low-bandwidth application layer DoS”  Advantages of layer 7 DoS  Legitimate TCP/UDP connections, difficult to differentiate from normal traffic  Requires lesser number of connections, possibility to stop a web server from a single attack  Reach resource limits of services, regardless of the hardware capabilities of the server
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Denial-of-Service  Layer 7 DoS methods  HTTP Slow Headers  HTTP Slow POST  HTTP Slow Reading  Apache Range Header  SSL/TLS Renegotiation  XML Bombs
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Don’t try @ home!  Denial-of-Service  HTTP Slow POST
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Superbees wanted  Hi little bees, during this talk we  Defaced the website  Compromised the server  Compromised a client  Made the server unreachable  Hijacked a session  Stole credentials…
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.  And we have so much more bugs to exploit…  Definitely time to improve your web security  Defense is needed, security-testing is required!  Downloading bWAPP is a first start  Remember: every bee needs a superbee  Are you that superbee? Superbees wanted @MME_IT #bWAPP
Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. About me  Malik Mesellem Email | malik@itsecgames.com LinkedIn | be.linkedin.com/in/malikmesellem Twitter | twitter.com/MME_IT Blog | itsecgames.blogspot.com

Empfohlen

MME Company Presentation
MME Company PresentationMME Company Presentation
MME Company PresentationMalik Mesellem
 
Top 10 Reasons to Learn Cybersecurity | Why Cybersecurity is Important | Edureka
Top 10 Reasons to Learn Cybersecurity | Why Cybersecurity is Important | EdurekaTop 10 Reasons to Learn Cybersecurity | Why Cybersecurity is Important | Edureka
Top 10 Reasons to Learn Cybersecurity | Why Cybersecurity is Important | EdurekaEdureka!
 
Building Up Network Security: An Introduction
Building Up Network Security: An Introduction Building Up Network Security: An Introduction
Building Up Network Security: An Introduction Global Knowledge Training
 
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | EdurekaComputer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | EdurekaEdureka!
 
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...Edureka!
 
B.tech cloud technology and information security
B.tech cloud technology and information securityB.tech cloud technology and information security
B.tech cloud technology and information securityiNurture Education Solution pvt ltd
 
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...Edureka!
 
The Next Stage of Fraud Protection: IBM Security Trusteer Fraud Protection Suite
The Next Stage of Fraud Protection: IBM Security Trusteer Fraud Protection SuiteThe Next Stage of Fraud Protection: IBM Security Trusteer Fraud Protection Suite
The Next Stage of Fraud Protection: IBM Security Trusteer Fraud Protection SuiteIBM Security
 

Empfohlen

MME Company Presentation
MME Company PresentationMME Company Presentation
MME Company PresentationMalik Mesellem
 
Top 10 Reasons to Learn Cybersecurity | Why Cybersecurity is Important | Edureka
Top 10 Reasons to Learn Cybersecurity | Why Cybersecurity is Important | EdurekaTop 10 Reasons to Learn Cybersecurity | Why Cybersecurity is Important | Edureka
Top 10 Reasons to Learn Cybersecurity | Why Cybersecurity is Important | EdurekaEdureka!
 
Building Up Network Security: An Introduction
Building Up Network Security: An Introduction Building Up Network Security: An Introduction
Building Up Network Security: An Introduction Global Knowledge Training
 
Computer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | EdurekaComputer Security | Types of Computer Security | Cybersecurity Course | Edureka
Computer Security | Types of Computer Security | Cybersecurity Course | EdurekaEdureka!
 
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...Edureka!
 
B.tech cloud technology and information security
B.tech cloud technology and information securityB.tech cloud technology and information security
B.tech cloud technology and information securityiNurture Education Solution pvt ltd
 
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...
Cybersecurity Tools | Popular Tools for Cybersecurity Threats | Cybersecurity...Edureka!
 
The Next Stage of Fraud Protection: IBM Security Trusteer Fraud Protection Suite
The Next Stage of Fraud Protection: IBM Security Trusteer Fraud Protection SuiteThe Next Stage of Fraud Protection: IBM Security Trusteer Fraud Protection Suite
The Next Stage of Fraud Protection: IBM Security Trusteer Fraud Protection SuiteIBM Security
 
Readying your IT Infrastructure for Cloud
Readying your IT Infrastructure for CloudReadying your IT Infrastructure for Cloud
Readying your IT Infrastructure for CloudRH
 
Partner Zymbian & Fortinet webinar on Web2.0 security
Partner Zymbian & Fortinet webinar on Web2.0 securityPartner Zymbian & Fortinet webinar on Web2.0 security
Partner Zymbian & Fortinet webinar on Web2.0 securityZymbian
 
OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1Telefónica
 
Cybersecurity education catalog sae september 2021
Cybersecurity education catalog sae september 2021Cybersecurity education catalog sae september 2021
Cybersecurity education catalog sae september 2021TrustwaveHoldings
 
Kona Site Defender Product Brief - Multi-layered defense to protect websites ...
Kona Site Defender Product Brief - Multi-layered defense to protect websites ...Kona Site Defender Product Brief - Multi-layered defense to protect websites ...
Kona Site Defender Product Brief - Multi-layered defense to protect websites ...Akamai Technologies
 
02 學校網絡安全漏洞的評估分享, 管理挑戰及趨勢。
02 學校網絡安全漏洞的評估分享, 管理挑戰及趨勢。02 學校網絡安全漏洞的評估分享, 管理挑戰及趨勢。
02 學校網絡安全漏洞的評估分享, 管理挑戰及趨勢。eLearning Consortium 電子學習聯盟
 
Security With Hosted Exchange
Security With Hosted ExchangeSecurity With Hosted Exchange
Security With Hosted ExchangeIntermedia2013
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
CEH Training in Gurgaon :SSDN Technologies
CEH Training in Gurgaon :SSDN TechnologiesCEH Training in Gurgaon :SSDN Technologies
CEH Training in Gurgaon :SSDN TechnologiesInformation Technology
 
The ROI on Intrusion Prevention: Protecting Both Your Network & Investment
The ROI on Intrusion Prevention: Protecting Both Your Network & InvestmentThe ROI on Intrusion Prevention: Protecting Both Your Network & Investment
The ROI on Intrusion Prevention: Protecting Both Your Network & InvestmentIBM Security
 
Akamai Intelligent Edge Security
Akamai Intelligent Edge SecurityAkamai Intelligent Edge Security
Akamai Intelligent Edge SecurityAkamai Technologies
 
Elementary-Information-Security-Practices
Elementary-Information-Security-PracticesElementary-Information-Security-Practices
Elementary-Information-Security-PracticesOctogence
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrichdrewz lin
 
Tolly Report: Stopping Attacks You Can't See
Tolly Report: Stopping Attacks You Can't SeeTolly Report: Stopping Attacks You Can't See
Tolly Report: Stopping Attacks You Can't SeeIBM Security
 
CHFI Certification
CHFI CertificationCHFI Certification
CHFI CertificationSagarNegi10
 
Malware on Smartphones and Tablets: The Inconvenient Truth
Malware on Smartphones and Tablets: The Inconvenient TruthMalware on Smartphones and Tablets: The Inconvenient Truth
Malware on Smartphones and Tablets: The Inconvenient TruthIBM Security
 
CompTIA Security+ Certification | Sec+
CompTIA Security+ Certification | Sec+ CompTIA Security+ Certification | Sec+
CompTIA Security+ Certification | Sec+ SagarNegi10
 
CISSO Certification| CISSO Training | CISSO
CISSO Certification| CISSO Training | CISSOCISSO Certification| CISSO Training | CISSO
CISSO Certification| CISSO Training | CISSOSagarNegi10
 
Enabling Cloud Smart, Zero-Trust, and TIC
Enabling Cloud Smart, Zero-Trust, and TICEnabling Cloud Smart, Zero-Trust, and TIC
Enabling Cloud Smart, Zero-Trust, and TICAmazon Web Services
 
A Career in Cybersecurity
A Career in CybersecurityA Career in Cybersecurity
A Career in Cybersecuritylfh663
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Securitysudip pudasaini
 
7 Ways to Stay 7 Years Ahead of the Threat
7 Ways to Stay 7 Years Ahead of the Threat7 Ways to Stay 7 Years Ahead of the Threat
7 Ways to Stay 7 Years Ahead of the ThreatIBM Security
 

Weitere ähnliche Inhalte

Was ist angesagt?

Readying your IT Infrastructure for Cloud
Readying your IT Infrastructure for CloudReadying your IT Infrastructure for Cloud
Readying your IT Infrastructure for CloudRH
 
Partner Zymbian & Fortinet webinar on Web2.0 security
Partner Zymbian & Fortinet webinar on Web2.0 securityPartner Zymbian & Fortinet webinar on Web2.0 security
Partner Zymbian & Fortinet webinar on Web2.0 securityZymbian
 
OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1Telefónica
 
Cybersecurity education catalog sae september 2021
Cybersecurity education catalog sae september 2021Cybersecurity education catalog sae september 2021
Cybersecurity education catalog sae september 2021TrustwaveHoldings
 
Kona Site Defender Product Brief - Multi-layered defense to protect websites ...
Kona Site Defender Product Brief - Multi-layered defense to protect websites ...Kona Site Defender Product Brief - Multi-layered defense to protect websites ...
Kona Site Defender Product Brief - Multi-layered defense to protect websites ...Akamai Technologies
 
Security With Hosted Exchange
Security With Hosted ExchangeSecurity With Hosted Exchange
Security With Hosted ExchangeIntermedia2013
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
CEH Training in Gurgaon :SSDN Technologies
CEH Training in Gurgaon :SSDN TechnologiesCEH Training in Gurgaon :SSDN Technologies
CEH Training in Gurgaon :SSDN TechnologiesInformation Technology
 
The ROI on Intrusion Prevention: Protecting Both Your Network & Investment
The ROI on Intrusion Prevention: Protecting Both Your Network & InvestmentThe ROI on Intrusion Prevention: Protecting Both Your Network & Investment
The ROI on Intrusion Prevention: Protecting Both Your Network & InvestmentIBM Security
 
Akamai Intelligent Edge Security
Akamai Intelligent Edge SecurityAkamai Intelligent Edge Security
Akamai Intelligent Edge SecurityAkamai Technologies
 
Elementary-Information-Security-Practices
Elementary-Information-Security-PracticesElementary-Information-Security-Practices
Elementary-Information-Security-PracticesOctogence
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrichdrewz lin
 
Tolly Report: Stopping Attacks You Can't See
Tolly Report: Stopping Attacks You Can't SeeTolly Report: Stopping Attacks You Can't See
Tolly Report: Stopping Attacks You Can't SeeIBM Security
 
CHFI Certification
CHFI CertificationCHFI Certification
CHFI CertificationSagarNegi10
 
Malware on Smartphones and Tablets: The Inconvenient Truth
Malware on Smartphones and Tablets: The Inconvenient TruthMalware on Smartphones and Tablets: The Inconvenient Truth
Malware on Smartphones and Tablets: The Inconvenient TruthIBM Security
 
CompTIA Security+ Certification | Sec+
CompTIA Security+ Certification | Sec+ CompTIA Security+ Certification | Sec+
CompTIA Security+ Certification | Sec+ SagarNegi10
 
CISSO Certification| CISSO Training | CISSO
CISSO Certification| CISSO Training | CISSOCISSO Certification| CISSO Training | CISSO
CISSO Certification| CISSO Training | CISSOSagarNegi10
 
Enabling Cloud Smart, Zero-Trust, and TIC
Enabling Cloud Smart, Zero-Trust, and TICEnabling Cloud Smart, Zero-Trust, and TIC
Enabling Cloud Smart, Zero-Trust, and TICAmazon Web Services
 
A Career in Cybersecurity
A Career in CybersecurityA Career in Cybersecurity
A Career in Cybersecuritylfh663
 

Was ist angesagt? (20)

Readying your IT Infrastructure for Cloud
Readying your IT Infrastructure for CloudReadying your IT Infrastructure for Cloud
Readying your IT Infrastructure for Cloud
 
Partner Zymbian & Fortinet webinar on Web2.0 security
Partner Zymbian & Fortinet webinar on Web2.0 securityPartner Zymbian & Fortinet webinar on Web2.0 security
Partner Zymbian & Fortinet webinar on Web2.0 security
 
OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1
 
Cybersecurity education catalog sae september 2021
Cybersecurity education catalog sae september 2021Cybersecurity education catalog sae september 2021
Cybersecurity education catalog sae september 2021
 
Kona Site Defender Product Brief - Multi-layered defense to protect websites ...
Kona Site Defender Product Brief - Multi-layered defense to protect websites ...Kona Site Defender Product Brief - Multi-layered defense to protect websites ...
Kona Site Defender Product Brief - Multi-layered defense to protect websites ...
 
02 學校網絡安全漏洞的評估分享, 管理挑戰及趨勢。
02 學校網絡安全漏洞的評估分享, 管理挑戰及趨勢。02 學校網絡安全漏洞的評估分享, 管理挑戰及趨勢。
02 學校網絡安全漏洞的評估分享, 管理挑戰及趨勢。
 
Security With Hosted Exchange
Security With Hosted ExchangeSecurity With Hosted Exchange
Security With Hosted Exchange
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
 
CEH Training in Gurgaon :SSDN Technologies
CEH Training in Gurgaon :SSDN TechnologiesCEH Training in Gurgaon :SSDN Technologies
CEH Training in Gurgaon :SSDN Technologies
 
The ROI on Intrusion Prevention: Protecting Both Your Network & Investment
The ROI on Intrusion Prevention: Protecting Both Your Network & InvestmentThe ROI on Intrusion Prevention: Protecting Both Your Network & Investment
The ROI on Intrusion Prevention: Protecting Both Your Network & Investment
 
Akamai Intelligent Edge Security
Akamai Intelligent Edge SecurityAkamai Intelligent Edge Security
Akamai Intelligent Edge Security
 
Elementary-Information-Security-Practices
Elementary-Information-Security-PracticesElementary-Information-Security-Practices
Elementary-Information-Security-Practices
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
 
Tolly Report: Stopping Attacks You Can't See
Tolly Report: Stopping Attacks You Can't SeeTolly Report: Stopping Attacks You Can't See
Tolly Report: Stopping Attacks You Can't See
 
CHFI Certification
CHFI CertificationCHFI Certification
CHFI Certification
 
Malware on Smartphones and Tablets: The Inconvenient Truth
Malware on Smartphones and Tablets: The Inconvenient TruthMalware on Smartphones and Tablets: The Inconvenient Truth
Malware on Smartphones and Tablets: The Inconvenient Truth
 
CompTIA Security+ Certification | Sec+
CompTIA Security+ Certification | Sec+ CompTIA Security+ Certification | Sec+
CompTIA Security+ Certification | Sec+
 
CISSO Certification| CISSO Training | CISSO
CISSO Certification| CISSO Training | CISSOCISSO Certification| CISSO Training | CISSO
CISSO Certification| CISSO Training | CISSO
 
Enabling Cloud Smart, Zero-Trust, and TIC
Enabling Cloud Smart, Zero-Trust, and TICEnabling Cloud Smart, Zero-Trust, and TIC
Enabling Cloud Smart, Zero-Trust, and TIC
 
A Career in Cybersecurity
A Career in CybersecurityA Career in Cybersecurity
A Career in Cybersecurity
 

Ähnlich wie TDIS 2014 - Dealing with the risks: web applications

Web Application Security
Web Application SecurityWeb Application Security
Web Application Securitysudip pudasaini
 
7 Ways to Stay 7 Years Ahead of the Threat
7 Ways to Stay 7 Years Ahead of the Threat7 Ways to Stay 7 Years Ahead of the Threat
7 Ways to Stay 7 Years Ahead of the ThreatIBM Security
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
 
The Business Case for Enterprise Endpoint Protection: Can You Afford Not To?
The Business Case for Enterprise Endpoint Protection: Can You Afford Not To?The Business Case for Enterprise Endpoint Protection: Can You Afford Not To?
The Business Case for Enterprise Endpoint Protection: Can You Afford Not To?IBM Security
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksIBM Security
 
Stopping Advanced Attacks on their Onset: A Practical Look at Modern Day Prev...
Stopping Advanced Attacks on their Onset: A Practical Look at Modern Day Prev...Stopping Advanced Attacks on their Onset: A Practical Look at Modern Day Prev...
Stopping Advanced Attacks on their Onset: A Practical Look at Modern Day Prev...IBM Security
 
Malware in a JAR: How Rogue Java Applications Compromise your Endpoints
Malware in a JAR: How Rogue Java Applications Compromise your EndpointsMalware in a JAR: How Rogue Java Applications Compromise your Endpoints
Malware in a JAR: How Rogue Java Applications Compromise your EndpointsIBM Security
 
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...IBM Security
 
Research challenges and issues in web security
Research challenges and issues in web securityResearch challenges and issues in web security
Research challenges and issues in web securityIAEME Publication
 
Remote Workforces Secure by Barracuda
Remote Workforces Secure by BarracudaRemote Workforces Secure by Barracuda
Remote Workforces Secure by BarracudaPrime Infoserv
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionAlert Logic
 
Ola Wittenby - Hotlandskapet på Internet
Ola Wittenby - Hotlandskapet på Internet Ola Wittenby - Hotlandskapet på Internet
Ola Wittenby - Hotlandskapet på Internet IBM Sverige
 
Mining attackers mind
Mining attackers mindMining attackers mind
Mining attackers mindkeyuradmin
 
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...Luigi Delgrosso
 
The anatomy of a spear phishing attack
The anatomy of a spear phishing attackThe anatomy of a spear phishing attack
The anatomy of a spear phishing attackVade Secure
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSTobias Koprowski
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionAlert Logic
 

Ähnlich wie TDIS 2014 - Dealing with the risks: web applications (20)

Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
7 Ways to Stay 7 Years Ahead of the Threat
7 Ways to Stay 7 Years Ahead of the Threat7 Ways to Stay 7 Years Ahead of the Threat
7 Ways to Stay 7 Years Ahead of the Threat
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open Source
 
The Business Case for Enterprise Endpoint Protection: Can You Afford Not To?
The Business Case for Enterprise Endpoint Protection: Can You Afford Not To?The Business Case for Enterprise Endpoint Protection: Can You Afford Not To?
The Business Case for Enterprise Endpoint Protection: Can You Afford Not To?
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging Risks
 
Stopping Advanced Attacks on their Onset: A Practical Look at Modern Day Prev...
Stopping Advanced Attacks on their Onset: A Practical Look at Modern Day Prev...Stopping Advanced Attacks on their Onset: A Practical Look at Modern Day Prev...
Stopping Advanced Attacks on their Onset: A Practical Look at Modern Day Prev...
 
Malware in a JAR: How Rogue Java Applications Compromise your Endpoints
Malware in a JAR: How Rogue Java Applications Compromise your EndpointsMalware in a JAR: How Rogue Java Applications Compromise your Endpoints
Malware in a JAR: How Rogue Java Applications Compromise your Endpoints
 
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
 
Research challenges and issues in web security
Research challenges and issues in web securityResearch challenges and issues in web security
Research challenges and issues in web security
 
Remote Workforces Secure by Barracuda
Remote Workforces Secure by BarracudaRemote Workforces Secure by Barracuda
Remote Workforces Secure by Barracuda
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload ProtectionReducing Your Attack Surface & Your Role in Cloud Workload Protection
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
 
Ola Wittenby - Hotlandskapet på Internet
Ola Wittenby - Hotlandskapet på Internet Ola Wittenby - Hotlandskapet på Internet
Ola Wittenby - Hotlandskapet på Internet
 
Mining attackers mind
Mining attackers mindMining attackers mind
Mining attackers mind
 
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
 
The anatomy of a spear phishing attack
The anatomy of a spear phishing attackThe anatomy of a spear phishing attack
The anatomy of a spear phishing attack
 
Solution Brief
Solution BriefSolution Brief
Solution Brief
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPS
 
03 secure the computer
03 secure the computer03 secure the computer
03 secure the computer
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload ProtectionReducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
 

Kürzlich hochgeladen

WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )Pooja Nehwal
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxraffaeleoman
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubssamaasim06
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMoumonDas2
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024eCommerce Institute
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Pooja Nehwal
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Vipesco
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AITatiana Gurgel
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardsticksaastr
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Delhi Call girls
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...henrik385807
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfhenrik385807
 

Kürzlich hochgeladen (20)

WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptx
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
 

TDIS 2014 - Dealing with the risks: web applications

  • 1. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks web applications Malik Mesellem
  • 2. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. About me  Malik Mesellem, Ethical Hacker  MME BVBA, founded in 2010  Specialized in audits & training  Objective approach, independent  Focus to advise and to educate @MME_IT #bWAPP | ITAudits&SecurityMME
  • 3. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
  • 4. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
  • 5. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Defense needed  Web application security is today's most overlooked aspect of securing the enterprise  Hackers are concentrating their efforts on websites and web applications  Web apps are an attractive target for cyber criminality, cyber warfare and hacktivism
  • 6. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Defense needed  Why are web applications an attractive target?  Easily available via the Internet (24/7)  Mission-critical business applications with sensitive data  Often direct access to backend data  Traditional firewalls and SSL provide no protection  Many applications are custom-made == vulnerable
  • 7. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Defense needed  Why are web applications an attractive target?  Easily available via the Internet (24/7)  Mission-critical business applications with sensitive data  Often direct access to backend data  Traditional firewalls and SSL provide no protection  Many applications are custom-made == vulnerable
  • 8. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. DEFENSE is needed !
  • 9. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
  • 10. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  bWAPP, or a buggy Web APPlication  Deliberately insecure web application, includes all major known web vulnerabilities  Helps security enthusiasts, developers and students to discover and to prevent issues  Prepares one for successful penetration testing and ethical hacking projects
  • 11. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Web application security is not just installing a firewall, or scanning a site for ‘potential’ issues  Black-box penetration testing, simulating real attack scenarios, is still needed!  Confirms potential vulnerabilities, and excludes false positives  Guarantees that your defense measures are working effectively  bWAPP helps to improve your security-testing skills…
  • 12. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.
  • 13. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  What makes bWAPP so unique?  Well, it has over 100 web vulnerabilities  Covering all major known web bugs  Including all risks from the OWASP Top 10  Focus is not on one specific issue!
  • 14. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Commercial Web Scanners
  • 15. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Which bug do you want to hack today? (1)  SQL, HTML, SSI, OS Command, XML, XPath, LDAP, PHP Code, Host Header and SMTP injections  Authentication, authorization and session management issues  Malicious, unrestricted file uploads and backdoor files  Arbitrary file access and directory traversals  Heartbleed vulnerability (OpenSSL)  Local and remote file inclusions (LFI/RFI)  Server Side Request Forgery (SSRF)
  • 16. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Which bug do you want to hack today? (2)  Configuration issues: Man-in-the-Middle, Cross-Domain policy file, FTP, SNMP, WebDAV, information disclosures,...  HTTP parameter pollution and HTTP response splitting  XML External Entity attacks (XXE)  HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues  Unvalidated redirects and forwards  Denial-of-Service (DoS) attacks
  • 17. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Which bug do you want to hack today? (3)  Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)  AJAX and Web Services issues (JSON/XML/SOAP)  Parameter tampering and cookie poisoning  HTTP verb tampering  PHP-CGI remote code execution  Local privilege escalations  And much more 
  • 18. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  Which bug do you want to hack today?
  • 19. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework
  • 20. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Security framework  External links  Home page - www.itsecgames.com  Download location - sourceforge.net/projects/bwapp  Blog - itsecgames.blogspot.com
  • 21. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
  • 22. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  SQL injection is very common in web applications  Occurs when user input is sent to a SQL interpreter as part of a query  The attacker tricks the interpreter into executing unintended SQL queries
  • 23. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  Injection in the OWASP Top 10
  • 24. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  Normal operation DATABASE SQL interpreter WEB APP HTML | SQL BROWSER HTML (GET/POST) login password SELECT * FROM table WHERE login = ‘login’ AND password = ‘password’ result HTML SQL
  • 25. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. DATABASE SQL interpreter WEB APP HTML | SQL BROWSER HTML (GET/POST) login ’ or 1=1-- SELECT * FROM table WHERE login = ‘login’ AND password = ‘’ or 1=1-- ’ result HTML SQL SQL injection  Abnormal operation
  • 26. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  Simple injections  '--  ' or 'a'='a  ' or 'a'='a'--  ' or '1'='1  ' or 1=1--
  • 27. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL injection  Union injections  ' UNION SELECT field1, field2 FROM table--  ' UNION SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=database()--  Stacked queries  '; DROP TABLE table;--
  • 28. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. SQL Injection
  • 29. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Don’t try @ home!  SQL injection  Bypassing login forms  Manually extracting data  Automated SQL injection  Website defacement
  • 30. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.
  • 31. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.
  • 32. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Cross-Site Scripting  Cross-Site Scripting, or XSS, occurs when an attacker injects a browser script into a web application  Insufficient validation of user-supplied data  Dangerous when it is stored permanently!  XSS can lead to  Website defacements  Phishing / session hijacking  Client-side exploitation
  • 33. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Cross-Site Scripting  XSS in the OWASP Top 10
  • 34. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Don’t try @ home!  Cross-Site Scripting  Detecting XSS  Phishing attack  Client-side exploitation
  • 35. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Heartbleed bug  Vulnerability in the popular OpenSSL cryptographic software library, discovered in April 2014 (!)  Allows stealing information protected by SSL/TLS… just by sending a simple heartbeat request!  Sensitive data that might be stolen  Logon credentials  Session data  Private keys
  • 36. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Don’t try @ home!  Heartbleed bug  Stealing credentials
  • 37. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Denial-of-Service  Denial-of-Service attack, or DoS attack  Attacker attempts to prevent legitimate users from accessing the application, server or network  Consumes bandwidth, server sockets, or CPU resources  Distributed Denial-of-Service attack, or DDoS  Popular techniques used by hacktivists
  • 38. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Denial-of-Service  Newer layer 7 DoS attacks are more powerful!  “Low-bandwidth application layer DoS”  Advantages of layer 7 DoS  Legitimate TCP/UDP connections, difficult to differentiate from normal traffic  Requires lesser number of connections, possibility to stop a web server from a single attack  Reach resource limits of services, regardless of the hardware capabilities of the server
  • 39. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Denial-of-Service  Layer 7 DoS methods  HTTP Slow Headers  HTTP Slow POST  HTTP Slow Reading  Apache Range Header  SSL/TLS Renegotiation  XML Bombs
  • 40. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Don’t try @ home!  Denial-of-Service  HTTP Slow POST
  • 41. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Dealing with the risks  Contents  Defense needed  Security framework  Attack scenarios  Superbees wanted
  • 42. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. Superbees wanted  Hi little bees, during this talk we  Defaced the website  Compromised the server  Compromised a client  Made the server unreachable  Hijacked a session  Stole credentials…
  • 43. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved.  And we have so much more bugs to exploit…  Definitely time to improve your web security  Defense is needed, security-testing is required!  Downloading bWAPP is a first start  Remember: every bee needs a superbee  Are you that superbee? Superbees wanted @MME_IT #bWAPP
  • 44. Dealing with the risks: web applications | © 2014 MME BVBA, all rights reserved. About me  Malik Mesellem Email | malik@itsecgames.com LinkedIn | be.linkedin.com/in/malikmesellem Twitter | twitter.com/MME_IT Blog | itsecgames.blogspot.com